If you have been online in the past few days, chances are that you have seen the headline "new vulnerability discovered in OpenSSL" or something along those lines. This new vulnerability has been dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), and it is said to affect over 11 million websites and email services worldwide.
DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against Transport Layer Security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients." While the latest versions don't allow SSLv2 connections by default, administrators sometimes unintentionally override those settings in an attempt to optimize applications, and this is where the problem lies. The DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or, if the certificate is shared, to another server that uses it, potentially performing a successful Man-in-the-Middle (MitM) attack. It has been reported that more than 33% of all HTTPS servers are vulnerable to DROWN-based MitM attacks.
If you want to see if your website is vulnerable to this critical security hole, you can check out https://drownattack.com/. If your website is vulnerable, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update. And just in case you get too happy, the bad news is that the DROWN attack can be conducted in just under a minute, and now that the bug has been disclosed, it may be actively used by hackers to attack servers. So really this isn't something that you want to be putting on the long finger. OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g, and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.
In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn't shared across any other servers. Those already vulnerable to the DROWN attack do not need to re-issue certificates but are recommended to take action immediately in order to prevent the attack. And remember: because this has been widely publicized, you can be sure that hackers are actively targeting websites that have not implemented the above, so get your IT team moving.
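
The three checks above (SSLv2 disabled, private key not shared with an SSLv2 host, OpenSSL at 1.0.2g or 1.0.1s) can be run across a server inventory. The following is an added example, not code from the original article or from OpenSSL; the inventory fields, host names and key fingerprints are constructed for illustration.

```python
import re
from collections import defaultdict

# Fixed releases named in the article, keyed by OpenSSL branch.
FIXED = {"1.0.2": "g", "1.0.1": "s"}

def needs_upgrade(version):
    """True if the version is below the fixed letter release of its branch.
    Branches other than 1.0.1/1.0.2 are flagged, following the article's advice."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m or m.group(1) not in FIXED:
        return True
    suffix, fixed = m.group(2), FIXED[m.group(1)]
    # Letter suffixes order by length first ("za" comes after "z"), then alphabetically.
    return (len(suffix), suffix) < (len(fixed), fixed)

def audit(hosts):
    """Return {host name: [findings]} for the article's three mitigations."""
    # Index SSLv2-enabled hosts by the key they serve: a TLS-only host is
    # still exposed when its private key is also used on one of these.
    sslv2_by_key = defaultdict(set)
    for h in hosts:
        if h["sslv2"]:
            sslv2_by_key[h["key_fp"]].add(h["name"])
    report = {}
    for h in hosts:
        findings = []
        if h["sslv2"]:
            findings.append("disable SSLv2")
        peers = sorted(sslv2_by_key.get(h["key_fp"], set()) - {h["name"]})
        if peers:
            findings.append("key shared with SSLv2 host(s): " + ", ".join(peers))
        if needs_upgrade(h["openssl"]):
            findings.append("upgrade OpenSSL")
        report[h["name"]] = findings
    return report

# Constructed sample inventory; key_fp stands in for a public-key fingerprint.
INVENTORY = [
    {"name": "www",  "openssl": "1.0.2g", "sslv2": False, "key_fp": "fp-A"},
    {"name": "mail", "openssl": "1.0.1r", "sslv2": True,  "key_fp": "fp-A"},
    {"name": "api",  "openssl": "1.0.2f", "sslv2": False, "key_fp": "fp-B"},
    {"name": "vpn",  "openssl": "1.0.1s", "sslv2": False, "key_fp": "fp-C"},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or "ok")
```

In this sample, `www` is fully patched and has SSLv2 off, yet it is still flagged because `mail` serves the same key over SSLv2.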